                                              February 16, 2001


MEMORANDUM TO:                William D. Travers
                              Executive Director for Operations

FROM:                         Stephen D. Dingbaum
                              Assistant Inspector General for Audits

SUBJECT:                      MEMORANDUM REPORT: REVIEW OF NRC’S WEB SITE
                              PRIVACY POLICY: INTERNET COOKIES (OIG-01-A-08)

This report provides the results of the Office of the Inspector General’s (OIG) review of the
Nuclear Regulatory Commission’s (NRC) web site privacy policy. OIG found that NRC
complies with Federal web site privacy policies. NRC has its privacy statement disclosed on its
principal web site. Neither NRC nor its third parties collect personally identifiable information on
individuals who visit its web site. Except for authorized investigations and the gathering of site
usage statistics, no other attempt is made to identify individual users or their usage habits.
Information is collected for statistical purposes only and includes: the name of the domain; the
type of browser and operating system used to access the site; and the date and time the user
accessed the site. However, NRC does not have a Management Directive covering this area.
Therefore, the agency does not have policy guidance written in its directive system that
establishes controls over or prohibits NRC and third parties from collecting personally
identifiable information from visitors to the NRC web site. The report makes two
recommendations.

PURPOSE

This review complies with the requirements of Public Law 106-554, Treasury and General
Government Appropriations Act, 2001 (HR 5658), passed on December 21, 2000.
The Act
requires the Inspector General of each department or agency to submit to Congress, within 60
days of its enactment, a report that discloses any activity of the applicable department or
agency relating to: (1) the collection or review of singular data, or the aggregate lists that
include personally identifiable information, about individuals who access any Internet site of the
department or agency; and (2) agreements with third parties, including other government
agencies, to collect, review, or obtain aggregate lists or singular data containing personally
identifiable information relating to any individual’s access or viewing habits for governmental
and non-governmental Internet sites.

BACKGROUND

On June 2, 1999, the Office of Management and Budget (OMB) issued Memorandum M-99-18.
This memorandum directed agencies to post:

•      privacy policies to their agency’s principal web site by September 1, 1999;

•      privacy policies to any other known, major entry points to their web sites by
       December 1, 1999, as well as any web page where they collect substantial personal
       information from the public;

•      policies that clearly and concisely inform visitors to the web sites what information the
       agency collects about individuals, why the agency collects it, and how the agency will
       use it; and

•      policies that are clearly labeled and easily accessed when someone visits a web site.

Personal information is often collected at web sites in a file called a “cookie.” A cookie is placed
on a web user’s hard drive by a web site to monitor access to the site, usually without the user’s
knowledge. Personal information can include an individual’s name, e-mail address, postal
address, telephone number, social security number, and a credit card number.
Cookies are
categorized into two main types: session and persistent. A session cookie is a file that tracks a
user’s activity during a visit to a web site but expires when the user leaves the web site. A
persistent cookie lasts a fixed period of time, possibly for years and across different web sites.
Potentially, many laws enacted to safeguard a citizen’s right to privacy would be violated by
establishing a persistent cookie.

On June 22, 2000, OMB issued Memorandum M-00-13, providing guidance relating to the
collection of information by Federal web sites using cookies. This OMB guidance states that
cookies should not be used at Federal web sites unless clear and conspicuous notice is given
and the following conditions are met: (1) there is a compelling need to gather the data on the site;
(2) the agency takes appropriate and publicly disclosed privacy safeguards for handling
information derived from cookies; and (3) the head of the agency has personally approved the
use of cookies. In addition, the guidance requires that the agency incorporate privacy policy
compliance information into its annual budget submission, beginning in Fall 2000.

RESULTS

Federal privacy policy disclosed on NRC’s principal web site

NRC has a privacy policy statement posted on the home page of its web site that clearly
advises visitors of the use of personally identifiable information. In both August 1999 and
December 1999, the privacy policy was reviewed by the Office of the Chief Information Officer
(OCIO) to ensure compliance with M-99-18.

OCIO reviewed the web pages where NRC requests personally identifiable information to
ensure: (1) that the privacy policy is posted and that the guidance and model language were
used on the policy; and (2) that the policy is linked to all pages that request personal
information.
Information is collected for statistical purposes only and is limited to: the name of the
domain; the type of browser and operating system used to access the site; and the date and
time the user accessed the site. Further, NRC complied with the June 2000 OMB request to
include privacy policy compliance information in the agency’s information technology budget
submission for FY 2002.

Collection of personally identifiable information and agreements with third parties

OMB guidance prohibits the use of cookies at Federal web sites without adequate notice.
OCIO assured OIG that neither NRC nor its third party contractors send cookies. OIG tested
the web site for cookies both internally using NRC computers and externally from personal
computers to verify that neither NRC nor its third party contractors send cookies. Our test
procedures were consistent with those used by GAO to conduct similar tests. Our test results
found that, in compliance with OMB requirements, neither the NRC web site nor the third party
contractors place cookies on users’ computers, nor does NRC collect personally identifiable
information. In addition to testing for cookies, OIG requested and received confirmation from
NRC that none of its contractors involved with the NRC web pages send cookies. Given that
the National Laboratories are under the Department of Energy (DOE), we also confirmed that
the DOE OIG included the Laboratories in its audit for collection of personally identifiable
information. Except for the gathering of site usage statistics, no other attempt is made to
identify individual users or their usage habits.

However, in reviewing the agency’s Management Directives, OIG found that the agency does
not have a directive to ensure the proper use of personally identifiable information.
OIG was
informed by OCIO that the privacy policy will be included as part of Management Directive 2.6,
NRC Information Resources Management Program, which is currently being written. OIG was
also informed that NRC contracts do not presently establish controls over, or prohibit, the use of
cookies because the legislation was only recently enacted. However, agency managers
informed us that guidance covering the use of personally identifiable information will be issued
in the near future.

CONCLUSION

NRC has a privacy statement that clearly informs users how NRC handles information during
the user’s visit to the web site. The major pages in the web site link back to the privacy
statement on the home page. Cookies are not sent to the user’s computer to track any
personally identifiable information. Only an operational log is used to generate site usage
statistics.

However, NRC should institutionalize its privacy policies in the agency’s directives system. In
addition, even though we were assured at the entrance conference that all future contracts will
include language prohibiting persistent cookies, this prohibition should also be a written policy in
the agency’s Management Directive system. These measures would increase public
confidence that NRC protects the privacy of citizens when they visit its web site.

MANAGEMENT COMMENTS

At the exit meeting on February 12, 2001, management agreed with our recommendations and
provided comments which have been incorporated in this report. Agency managers elected
not to provide written comments to the draft report.
They also informed OIG of their plans to
issue interim guidance to cover this area until the Management Directive system is updated.

RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

(1)    Include language in a Management Directive and in future NRC contracts to establish
       management controls over or prohibit NRC and third party contractors from collecting
       personally identifiable information from visitors to the NRC web site.

(2)    Incorporate guidance into a Management Directive by September 1, 2001.

Please provide information on actions taken or planned on each of the recommendations
directed to your office by March 16, 2001. Actions taken or planned are subject to OIG
follow-up.

SCOPE/CONTRIBUTORS

This review focused on whether the NRC was following OMB’s Memorandum 99-18 and
Memorandum 00-13 addressing privacy policies on Federal web sites.

To complete our objectives we evaluated NRC’s web site to determine if the privacy policy was:
(1) clearly labeled; (2) easily accessed; (3) informed visitors about the information NRC collects;
and (4) posted at major web pages within the web site. We also reviewed OMB’s guidance on
privacy policies. We researched GAO reports and OIG reports concerning privacy and Internet
cookies. We conducted interviews with staff as needed and reviewed all pertinent NRC
documents concerning privacy and cookies. We tested to determine if NRC, its contractors, or
the National Laboratories were using cookies to collect personally identifiable information.

We evaluated the management controls with regard to NRC’s web site privacy policy and
conducted our work from January 2001 to February 2001 in accordance with generally
accepted Government auditing standards.
This review was conducted by Corenthis Kelley,
Team Leader, Beth Serepca, Audit Manager, and Vicki Foster, Management Analyst.

If you have any questions or concerns with regard to this report, please contact
Corenthis Kelley at 415-5977 or me at 415-5915.

Attachment:
Recommendation Resolution Procedures

cc:   R. McOsker, OCM/RAM
      B. Torres, ACMUI
      B. Garrick, ACNW
      D. Powers, ACRS
      J. Larkins, ACRS/ACNW
      P. Bollwerk III, ASLBP
      K. Cyr, OGC
      J. Cordes, Acting OCAA
      S. Reiter, Acting CIO
      J. Funches, CFO
      P. Rabideau, Deputy CFO
      J. Dunn Lee, OIP
      D. Rathbun, OCA
      W. Beecher, OPA
      A. Vietti-Cook, SECY
      F. Miraglia, DEDR/OEDO
      C. Paperiello, DEDMRS/OEDO
      P. Norry, DEDM/OEDO
      J. Craig, AO/OEDO
      M. Springer, ADM
      R. Borchardt, OE
      G. Caputo, OI
      P. Bird, HR
      I. Little, SBCR
      W. Kane, NMSS
      S. Collins, NRR
      A. Thadani, RES
      P. Lohaus, OSP
      F. Congel, IRO
      H. Miller, RI
      L. Reyes, RII
      J. Dyer, RIII
      E. Merschoff, RIV
      OPA-RI
      OPA-RII
      OPA-RIII
      OPA-RIV


                    Instructions for Responding to OIG Report Recommendations


Instructions for Action Offices

Action offices should provide a written response on each recommendation within 30 days of the date of
the transmittal memorandum or letter accompanying the report. The concurrence or clearance of
appropriate offices should be shown on the response. After the initial response, responses to
subsequent OIG correspondence should be sent on a schedule agreed to with OIG.

Please ensure the response includes:

1. The report number and title, followed by each recommendation. List the recommendations by
number, repeating their text verbatim.

2.
A management decision for each recommendation indicating agreement or disagreement with the
recommended action.

       a. For agreement, include corrective actions taken or planned, and actual or target dates for
          completion.

       b. For disagreement, include reasons for disagreement, and any alternative proposals for
          corrective action.

       c. If questioned or unsupported costs are identified, state the amount that is determined to be
          disallowed and the plan to collect the disallowed funds.

       d. If funds put to better use are identified, then state the amount that can be put to better use (if
          these amounts differ from OIG’s, state the reasons).

OIG Evaluation of Responses

If OIG concurs with a response to a recommendation, it will (1) note that a management decision has
been made, (2) identify the recommendation as resolved, and (3) track the action office’s
implementation measures until final action is accomplished and the recommendation is closed.

If OIG does not concur with the action office’s proposed corrective action, or if the action office fails to
respond to a recommendation or rejects it, OIG will identify the recommendation as unresolved (no
management decision). OIG will attempt to resolve the disagreement at the action office level.
However, if OIG determines that an impasse has been reached, it will refer the matter for adjudication to
the Chairman.

Semiannual Report to Congress

In accordance with the Inspector General Act of 1978, as amended, OIG is required to report to
Congress semiannually on April 1 and October 1 of each year, a summary of each OIG report issued for
which no management decision was made during the previous 6-month period.
Heads of agencies are
required to report to Congress on significant recommendations from previous OIG reports where final
action has not been taken for more than one year from the date of management decision, together with
an explanation of delays.
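As an added illustration of the session versus persistent distinction drawn in the BACKGROUND section, and of the kind of check that underlies the cookie test described under RESULTS, the following Python script inspects the Set-Cookie headers of an HTTP response and classifies each cookie. This is example code written for this copy of the report; it is not the OIG's or NRC's own test procedure, and the sample response, its host and the cookie names are constructed for the example. The classification follows the current Set-Cookie syntax (RFC 6265): a cookie is persistent when it carries a positive Max-Age or a future Expires date, Max-Age takes precedence over Expires, and a non-positive lifetime is an instruction to delete the cookie rather than store it.

```python
"""Classify the cookies an HTTP response tries to set as session or persistent.

Added example accompanying OIG-01-A-08; it is not the OIG's or NRC's test
procedure.  The HTTP response, host name and cookie names below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


@dataclass
class CookieReport:
    name: str
    kind: str                          # "session", "persistent" or "expired"
    lifetime_seconds: Optional[int]    # None for a session cookie
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header_value: str, now: datetime) -> CookieReport:
    """Parse one Set-Cookie header value (RFC 6265 syntax) and classify it.

    Persistent: positive Max-Age, or an Expires date after `now`; Max-Age wins
    over Expires.  A non-positive lifetime is a deletion instruction, so the
    browser removes the cookie instead of storing it.  Neither attribute
    present means the cookie lives only for the browser session.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()   # flags such as HttpOnly map to ""

    lifetime: Optional[int] = None
    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            pass                       # malformed Max-Age is ignored; fall back to Expires
    if lifetime is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):  # unparseable date: treat as absent
            expires = None
        if expires is not None:
            if expires.tzinfo is None:   # "-0000" dates come back naive; assume UTC
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - now).total_seconds())

    if lifetime is None:
        kind = "session"
    elif lifetime <= 0:
        kind = "expired"
    else:
        kind = "persistent"
    return CookieReport(name.strip(), kind, lifetime, attrs)


def audit_response(raw_response: str, now: datetime) -> List[CookieReport]:
    """Return one CookieReport per Set-Cookie header in a raw HTTP response."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    reports = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        field_name, _, value = line.partition(":")
        if field_name.strip().lower() == "set-cookie":
            reports.append(parse_set_cookie(value.strip(), now))
    return reports


def persistent_cookies(reports: List[CookieReport]) -> List[str]:
    """Names of the cookies a privacy review would flag as persistent."""
    return [r.name for r in reports if r.kind == "persistent"]


# Constructed sample: the report's own date stands in for "now".
NOW = datetime(2001, 2, 16, 12, 0, 0, tzinfo=timezone.utc)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 16 Feb 2001 12:00:00 GMT\r\n"
    "Server: example\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"                               # session
    "Set-Cookie: visitor=42; Expires=Thu, 16 Feb 2006 12:00:00 GMT; Path=/\r\n"  # five years
    "Set-Cookie: prefs=blue; Max-Age=2592000; Path=/\r\n"                        # thirty days
    "Set-Cookie: old=; Max-Age=0; Path=/\r\n"                                    # deletion
    "\r\n"
    "<html><body>placeholder page</body></html>"
)

if __name__ == "__main__":
    reports = audit_response(SAMPLE_RESPONSE, NOW)
    for report in reports:
        life = "" if report.lifetime_seconds is None else f" ({report.lifetime_seconds} s)"
        print(f"{report.name:10s} {report.kind}{life}")
    print("persistent:", persistent_cookies(reports))
```

Run against a captured response, the script lists each cookie with its kind and remaining lifetime; an empty result from `persistent_cookies` is the condition the report describes for NRC, where only session state or no cookies at all are sent. Because the sample embeds its own clock, the classification is reproducible rather than drifting with the day the script is run.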